GDPR Compliance

Our commitment to lawful, secure, and transparent data processing

Effective Date: May 25, 2025 | Last Updated: May 25, 2025

Introduction & Scope

This GDPR compliance documentation outlines how Aura HR, a software-as-a-service (SaaS) platform operated by Aurelium Technologies, ensures the lawful, secure, and transparent processing of personal data in alignment with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Aura HR is an AI-powered virtual HR assistant designed to automate and enhance HR support for client organizations. Through natural language interaction, Aura helps employees and HR teams access company policies, labor law guidance, and other HR services around the clock.

Complete EU Data Sovereignty

Aura HR has designed its platform to ensure complete EU data sovereignty. Unlike many AI platforms that rely on third-party APIs located outside the EU, Aura operates proprietary AI models hosted exclusively on AWS infrastructure within European Union regions.

  • All document processing occurs in AWS EU regions
  • All AI model inference occurs in AWS EU regions
  • All data storage (vectors, graphs, databases) occurs in AWS EU regions
  • No API calls to external or non-EU services
  • Zero cross-border data transfers

Data We Process

Aura HR processes personal data on behalf of client organizations. Categories include:

  • User Identification Data: Name, email address, company domain, user role
  • Employment Information: Leave balances, department, job title (when integrated with HRIS)
  • Usage Data: Interaction logs, timestamps, frequency of use
  • Document Content: Extracted HR policy content and labor regulations

Note: Aura HR does not process or store sensitive categories of personal data (e.g., health data, biometric data).

Legal Basis for Processing

We process personal data lawfully under the following legal bases:

  • Contractual Necessity: Providing the HR assistant service as part of the SaaS agreement
  • Legitimate Interest: Platform functionality, usage analytics, security monitoring
  • Legal Obligation: Compliance with data access logs and security requirements

Your Rights Under GDPR

Data subjects have the following rights:

  • Right to Access: Obtain confirmation and a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion when no longer necessary
  • Right to Restrict Processing: Temporarily limit processing under certain conditions
  • Right to Data Portability: Receive data in a structured format
  • Right to Object: Object to processing based on legitimate interest

For employees: Contact your HR department to exercise these rights.
For client administrators: Contact us at ask@aurelium.tech

Data Retention

Retention period by data type:

  • User profile data: Active account duration
  • Chat interaction logs: 12 months
  • Uploaded documents (original): Deleted immediately after processing
  • Vectorized data: Duration of client contract
  • Access & audit logs: 12 months

Security Measures

We implement comprehensive security controls:

  • Encryption: AES-256 at rest, TLS 1.2+ in transit
  • Access Control: Role-based access with mandatory 2FA
  • Infrastructure: AWS EU data centers exclusively
  • Monitoring: Continuous security monitoring and audit logging
  • Backup: Daily encrypted backups with EU redundancy

Data Subprocessors

We work with carefully selected subprocessors, all operating within the EU:

  • Amazon Web Services (AWS): Cloud infrastructure and AI model hosting (EU regions)
  • Pinecone: Vector database for semantic search (EU, AWS eu-west-1)
  • Neo4j: Graph database for relationship mapping (EU, AuraDB)

All subprocessors are bound by Data Processing Agreements (DPAs) with strict privacy and security obligations.

Data Breach Notification

In the event of a personal data breach, Aura HR will notify affected client organizations without undue delay, and within 48 hours of confirmation. We maintain a structured Incident Response Plan with clearly defined roles and escalation paths.

Contact

For questions about our GDPR compliance or to exercise your rights, please contact:
Email: ask@aurelium.tech
